Why can’t I create or delete Organization config rules?

Last updated: 2022-08-11

When I try to create or delete an AWS Config rule for AWS Organizations, I receive a CREATE_FAILED or DELETE_FAILED error. How can I troubleshoot issues with organization config rules?

Resolution

Various issues can cause organization config rules to not work, including permissions, a member account in an inactive state, or missing configuration recorders.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.

To resolve organization config rule errors, first run the following command to get member account rule failure and success status details. Then, replace your-rule-name with your organization config rule name. The command identifies the specific member accounts in which the rule failed.

aws configservice get-organization-config-rule-detailed-status --organization-config-rule-name your-rule-name

Review the output ErrorCode and ErrorMessage, and then follow these troubleshooting steps:

  • Run the following AWS CLI command or use the Organizations console to verify that the status of all member accounts is Active.
aws organizations list-accounts --query 'Accounts[*].[Id, Status]' --output table
  • Confirm that AWS Config is set up for each member account. You can set up AWS Config manually for a specific member account using the console, the AWS CLI, or AWS CloudFormation. After AWS Config is set up for all member accounts, deploy the rule again.
  • Open the AWS CloudTrail console, and then choose Event history from the navigation pane. To filter the logs, choose Event name from the dropdown list, and then enter PutOrganizationConfigRule or DeleteOrganizationConfigRule in the search field. Review the filtered log results for OrganizationAccessDeniedException errors.
  • Verify that you are calling the PutOrganizationConfigRule API or DeleteOrganizationConfigRule API from the Organizations management account or from a delegated administrator member account. Run the following command from the management account to identify the delegated administrator member account.
aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
  • If you receive OrganizationAccessDeniedException errors, verify that you have the required permissions. The AWS Identity and Access Management (IAM) role for AWS Config must include PutConfigRule, PutOrganizationConfigRule, and DeleteOrganizationConfigRule permissions to create and delete organization config rules.
  • If you receive ResourceInUseException errors, review the error message to identify the cause. If the error message indicates that a remediation action is associated with the rule, then resolve the remediation action. If the error message indicates that the rule status isn't CREATE_SUCCESSFUL, then verify that the AWS Config member account IAM role includes DeleteConfigRule permissions.

Custom organization config rule creation

If the Lambda function resource policy doesn't allow the AWS Config service principal to invoke it, provide permissions by running the add-permission command as follows. Replace function-name with the Lambda function name, Region with your AWS Region, and source-account with the management account ID.

aws lambda add-permission --function-name --region --action "lambda:InvokeFunction" --principal config.amazonaws.com --source-account --statement-id Allow

Note: To grant permissions for multiple member accounts in your organization, the command must be run for each account. Replace source-account with each member account ID.